
Further Research

An area of research we are leading to improve botnet tracking is in malware collection. Under the project name mwcollect2 the German Honeynet Project is
developing a program to "collect" malware in an simple and automated fashion. The mwcollect2 daemon consists of multiple dynamically linked modules:

Vulnerability modules:
They open ports that are commonly attacked (e.g. 135 or 2745) and simulate the vulnerabilities associated with those ports.

Shellcode parsing modules:
These modules turn the shellcodes received by one of the vulnerability modules into generic URLs to be fetched by another kind of module.

And finally, Fetch modules, which simply download the files specified by a URL. These URLs do not necessarily have to be HTTP or FTP URLs, but can also be TFTP or other protocols.

Currently mwcollect2 supports the simulation of different vulnerabilities. The following two examples show the software in action. In the first example, mwcollect2 simulates a vulnerability on TCP port 135 and catches a piece of malware in an automated fashion:

With the help of just one sensor in a dial-in network we were able to fetch 324 binaries with a total of 24 unique ones within a period of two hours. The uniqueness of the malware was computed with the help of md5sum, a tool to compute and check MD5 message digests.
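The following is an added illustration of the three-stage pipeline described above (vulnerability module receives a payload, shellcode-parsing module turns it into URLs, fetch module retrieves the file) together with the md5-based uniqueness count from the sensor figures. It is example code written for this page, not mwcollect2's own source. The fetch modules are replaced by a constructed in-memory file table so it runs offline, the payloads are constructed filler bytes around a URL (one of them single-byte XOR-obscured, a decoding pass that is an assumption of this example and not a claim about mwcollect2's parsers), and the 198.51.100.0/24 addresses are from the documentation range.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# "Generic URL": any scheme://... string. Which schemes are actually handled
# is decided by the registered fetch modules, not by the parser.
URL_RE = re.compile(rb"[a-z]{2,8}://[A-Za-z0-9._\-:/%~]+")


def find_urls(data: bytes) -> List[str]:
    """Return the distinct URL-looking strings in data, in order of appearance."""
    urls: List[str] = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii")
        if url not in urls:
            urls.append(url)
    return urls


def extract_urls(payload: bytes) -> List[str]:
    """Shellcode-parsing stage: turn a captured payload into download URLs.

    Plain ASCII URLs are taken directly. If none are present, every single-byte
    XOR key is tried, since a URL obscured that way is still a fixed string under
    the right key. (Assumption of this example, not mwcollect2's parser logic.)
    """
    urls = find_urls(payload)
    if urls:
        return urls
    for key in range(1, 256):
        urls = find_urls(bytes(b ^ key for b in payload))
        if urls:
            return urls
    return []


@dataclass
class Collector:
    """Wires the module kinds together and keeps the md5 bookkeeping."""
    fetchers: Dict[str, Callable[[str], Optional[bytes]]]   # scheme -> fetch module
    binaries: Dict[str, bytes] = field(default_factory=dict)  # md5 -> file content
    downloads: int = 0                                        # every successful fetch
    unhandled: List[str] = field(default_factory=list)        # URLs with no fetch module

    def handle_payload(self, payload: bytes) -> List[str]:
        """Process one payload from a vulnerability module; return md5s of what it yielded."""
        digests: List[str] = []
        for url in extract_urls(payload):
            scheme = url.split("://", 1)[0]
            fetch = self.fetchers.get(scheme)
            if fetch is None:
                self.unhandled.append(url)
                continue
            content = fetch(url)
            if content is None:
                continue
            self.downloads += 1
            digest = hashlib.md5(content).hexdigest()
            self.binaries.setdefault(digest, content)  # same md5 -> same binary
            digests.append(digest)
        return digests

    def unique_count(self) -> int:
        return len(self.binaries)


# Constructed stand-in for the fetch modules: a tiny URL -> content table.
FAKE_FILES = {
    "http://198.51.100.7/bot.exe": b"MZ-sample-A",
    "tftp://198.51.100.7/bot.exe": b"MZ-sample-A",  # same binary, other transport
    "ftp://198.51.100.9/upd.exe": b"MZ-sample-B",
}


def fake_fetch(url: str) -> Optional[bytes]:
    return FAKE_FILES.get(url)


def build_collector() -> Collector:
    return Collector(fetchers={"http": fake_fetch, "tftp": fake_fetch, "ftp": fake_fetch})


# Constructed payloads standing in for what the vulnerability modules receive.
PAYLOADS = [
    b"\x90" * 8 + b"http://198.51.100.7/bot.exe\x00" + b"\xcc" * 4,
    b"\x90" * 8 + b"tftp://198.51.100.7/bot.exe\x00",
    bytes(b ^ 0x41 for b in b"\x90" * 8 + b"ftp://198.51.100.9/upd.exe\x00"),  # XOR key 0x41
    b"\x90" * 8 + b"gopher://198.51.100.9/x\x00",  # no fetch module registered
]


def run_demo() -> dict:
    """Feed all constructed payloads through the collector and report the counts."""
    c = build_collector()
    for p in PAYLOADS:
        c.handle_payload(p)
    return {"downloads": c.downloads, "unique": c.unique_count(), "unhandled": c.unhandled}


if __name__ == "__main__":
    print(run_demo())
```

Two fetches of the same file over different transports collapse to one md5, which is exactly the "324 binaries, 24 unique" distinction the sensor figures make; a URL whose scheme has no fetch module is recorded rather than silently dropped, so gaps in protocol coverage stay visible.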

The big advantage of using mwcollect2 to collect the bots is clearly stability: A bot trying to exploit a honeypot running Windows 2000 with shellcode that contains a jmp ebx offset for Windows XP will obviously crash the service. In most cases, the honeypot will be forced to reboot. In contrast to this, mwcollect2 can be successfully exploited by all of those tools and hence catches a lot more binaries this way. In addition, mwcollect2 is easier to deploy - just a single make command and the collecting can begin (you might, however, want to change the configuration). Yet the downside of catching bots this way is that binaries still have to be reviewed manually. A honeypot behind a Honeywall with snort_inline filtering out the relevant IRC traffic could even set up the sniffing drone automatically after exploitation.